Reputation: 2666
So I've been trying to build a regex for the past couple of hours and I'm starting to go crazy thinking about whether this is even possible or worthwhile.
I have a script that scans PHP files, checking MD5 sums for known malicious files and for certain strings. Most recently I've come across files where, instead of using base64_decode in the PHP file, they are using variables and concatenating it so the scanner doesn't pick it up.
As an example, here's the latest one I found:
$a='bas'.'e6'.'4_d'.'ecode';eval($a
So because the scanner searches for base64_decode, this file wasn't picked up, as they are using PHP to concatenate base64_decode into a variable and then call the variable.
Forgive me because I've just started with regex, but is it even possible to search for something like this using regex? I mean, I understand and was able to get a regex that would match that exact one, but what if they used this instead:
$a='b'.'ase'.'64_d'.'ecode';eval($a
It wouldn't be picked up because the regex was looking for ' then b then a, etc.
I've already added
(eval)\(\$[a-z]
to send me an email as a notice to check the file. I'll have to let it run for a couple of days and see how many false positives show up, but my main concern is with the base64_decode.
If someone could please shed some light on this for me and maybe point me in the right direction, I would greatly appreciate it.
Thanks!!
Upvotes: 1
Views: 156
Reputation: 781761
You can use this regexp:
b\W*a\W*s\W*e\W*6\W*4\W*_\W*d\W*e\W*c\W*o\W*d\W*e
It searches for base64_decode with any non-alphanumeric characters interspersed.
Upvotes: 1
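A runnable Python version of the answer's detection idea, added here as an example (it is not code from the question or the answer): it builds the interspersed pattern for any function name rather than only base64_decode, and runs it together with the eval($var) notice rule from the question over a few constructed PHP lines. The helper `interspersed_pattern`, `scan_line` and the sample lines are all constructed for this example.

```python
import re

def interspersed_pattern(name):
    """Hypothetical helper: build the answer's regex for an arbitrary function
    name. Putting \\W* between every character lets quotes, dots and spaces
    appear anywhere, so 'bas'.'e6'.'4_d'.'ecode' still matches. PHP function
    names are case-insensitive, so the pattern is compiled that way too."""
    return re.compile(r"\W*".join(re.escape(ch) for ch in name), re.IGNORECASE)

# The answer's pattern, generated instead of typed out by hand.
BASE64_DECODE = interspersed_pattern("base64_decode")

# The notice rule the question already added: eval of a variable.
EVAL_OF_VARIABLE = re.compile(r"eval\(\$[a-z]")

def scan_line(line):
    """Return the names of every rule that fires on one line of PHP source."""
    hits = []
    if BASE64_DECODE.search(line):
        hits.append("base64_decode")
    if EVAL_OF_VARIABLE.search(line):
        hits.append("eval($var)")
    return hits

# Constructed sample lines: the two split-string forms from the question,
# a legitimate call, and a benign line.
SAMPLES = {
    "split_1": "$a='bas'.'e6'.'4_d'.'ecode';eval($a($p));",
    "split_2": "$a='b'.'ase'.'64_d'.'ecode';eval($a($p));",
    "plain":   "$img = base64_decode($_POST['img']);",
    "benign":  "echo 'hello world';",
}

def scan_samples(samples=SAMPLES):
    """Scan every sample line and report which rules fired on each."""
    return {label: scan_line(src) for label, src in samples.items()}

if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:8} -> {hits or 'clean'}")
```

Note that the pattern also matches an ordinary `base64_decode(...)` call, so a hit is a triage signal rather than proof of malice, and a file that never spells the name at all (for instance one that assembles it with chr() or reverses a stored string) is not caught by this rule.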